recover lost gpg password

Question

I found my old .gnupg directory in a backup and want to use it again. Unfortunately I have lost my password but I have some ideas of what the password was. I have not much understanding of gpg and pgp, however I know the basics of asymmetric cryptography.

My challenge now is to recover that key/password that I might be able to guess by some structure that I recall. So I will need to use some permutation engine that assembles various pieces of that password and checks if it is correct. I could write a script that does but I also could use john the ripper with gpg2john. Trying to figure out which way to go I face some obstacles:

My .gnupg directory is from 2005, created on a Sun system at that time. The directory contains a pubring.gpg and the newer format pubring.gpx. A subdirectory private-keys-v1.d contains 5 .key files.

Trying john first I seem to provide the wrong input.

gpg2john ~/.gnupg/pubring.kbx
File ~/.gnupg/pubring.kbx
can't find PGP armor boundary.


gpg2john ~/.gnupg/pubring.gpg\~
<lots of different messages like>
Hash material(5 bytes):
Sub: image attribute(sub 1)             Image encoding - JPEG(enc 1)
Reason - No reason specified
lots of other stuff
Error: No hash was generated for ~/.gnupg/pubring.gpg~, ensure that the input file contains a single private key only

How can I generate a file that gpg2john expects as input?

All approaches of mine to extract the private key failed because I need the key for that process, which I want to recover ...

---

For the manual approach I would need a way to test if my password is correct. What is the easiest approach here? I am a bit confused because I have 5 .key files. Which one is my private key? gpg --list-keys | grep "My Name" gives me back 3 entries different from the key names in private-keys-v1.d. The keys are labeled [ultimate], [expired], and [revoked].

Whenever I ask gpg to do anything like gpg --export-secret-keys ID > exportedPrivateKey.asc I am getting 2 messageboxes asking for a passphrase for 2 keys. These Ids are found in private-keys-v1.d.

How can I make gpg ask me only for the password of the [ultimate] key?

---

(In this article for me a certificate is the private-public-key tripplet that gpg is using. I might be unclear in what I say for anyone really understanding the concept:)

Ps: I am not sure if the password that I might re-construct belongs to the revoked certificate. If so, can I unlock the private key of the revoked certificate? Can I generate a new certificated based on the revoked one? (I guess not because otherwise revoking does not have any positive security effect). What do I win by getting back the password to a revoked certificate?

Answer 1

I'm not sure if I missed something, but have you simply tried making a backup of the keyring (copy the whole .gnupg folder to be safe) and then deleting keys from it until only the desired one is left? I can't promise that this will work, I always used john with --armor-exported keys.

By the way, the filenames that you see in the private-keys-v1.d subfolder are the keygrip and don't match your key IDs.

You can match keys to their keygrip by using the --with-keygrip parameter (e.g., gpg --with-keygrip --list-secret-keys).

PS: You may find this tutorial helpful — https://github.com/drduh/YubiKey-Guide — while it's written for YubiKey users, it has many advanced concepts that are relevant in general.

Answer 2

I personally believe, that gpg2john needs asc file and your approach to export it using gpg --export-secret-keys ID > exportedPrivateKey.asc is right. Problem, that you does not succeed is perhaps in this change: https://github.com/open-keychain/open-keychain/pull/1182/files

They "disabled" exporting private key with passphrase without entering given passphrase. It is not photographically needed for such operation, but due discussion in issue https://github.com/open-keychain/open-keychain/issues/194 it has been implemented.

I suggest you to export given key using custom compiled version of gpg with given commits reverted.